Thus, it did not come too much as a surprise when the Locky ransomware was tied to Dridex two years ago, when ransomware was booming. Locky became a top threat fast, catching a lot of attention from the security community as well, and its developers attempted alternatives such as Bart in 2016 and Jaff in May 2017.

Now, security researchers have tied yet another ransomware family to the Dridex authors, namely FriedEx, which is also known as BitPaymer.

This ransomware was initially discovered in July 2017 and made it to the headlines in August, when it infected NHS hospitals in Scotland.

Mainly focused on high profile targets and companies rather than end users, the malware is typically delivered via Remote Desktop Protocol (RDP) brute force attacks. Once it has managed to infect a system, the malware encrypts each file on it with a randomly generated RC4 key (which it then encrypts using a hardcoded 1024-bit RSA public key and saves it in a .readme_txt file).

While analyzing FriedEx, ESET discovered that it features code resemblance to Dridex. The ransomware also uses the same techniques as the banking Trojan, hiding as much information about its behavior as possible.

The malware “resolves all system API calls on the fly by searching for them by hash, stores all strings in encrypted form, looks up registry keys and values by hash, etc. The resulting binary is very low profile in terms of static features and it’s very hard to tell what the malware is doing without a deeper analysis,” ESET explains.

The researchers discovered that the very same part of a function used for generating UserID that is present across all Dridex binaries can be found in the FriedEx binaries as well. The order of the functions in the binaries is the same in both malware families, which suggests they use the same codebase or static library.

Both Dridex and FriedEx use the same malware packer, but that is not proof that they are connected, since other well-known families like QBot, Emotet or Ursnif also use it.

ESET also discovered that samples of both Dridex and FriedEx include PDB (Program Database) paths, which revealed that their binaries are being built in the same, distinctively named directory. The binaries of both Dridex and FriedEx are compiled in Visual Studio 2015.

Some binaries for both projects revealed the same date of compilation, and the researchers say this isn’t coincidence. The samples have time differences of several minutes at most and feature identical randomly generated constants (these constants change with each compilation to hinder analysis), which suggests they were probably built during the same compilation session.

“With all this evidence, we confidently claim that FriedEx is indeed the work of the Dridex developers. This discovery gives us a better picture of the group’s activities – we can see that the group continues to be active and not only consistently updates their banking Trojan to maintain its webinject support for the latest versions of Chrome and to introduce new features like Atom Bombing, but that it also follows the latest malware “trends”, creating their own ransomware,” ESET says.